Port forwarding configuration not working

baurkikacisco
Level 1

Hi,

I have issues with port forwarding. I configured it, but it didn't work. Then I tried different IP addresses. Now I don't know how to delete those configurations, because when I try to overwrite them it says they already exist. And port forwarding is still not working. I did: ip nat inside source static tcp (ip and port numbers)

Our device is an 1841, and we also have a firewall within this router. DHCP is on our 3750.

Please help.

Thank you.

9 Replies

Can you post the configs, with the sensitive areas removed?

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Here it is:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PASCS_ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$Znyz$M8Me9FKTO0yB/w2xUStt6.
!
no aaa new-model
clock timezone EAST -5
clock summer-time EAST recurring
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name mydomain.com
ip name-server 167.206.112.138
ip name-server 167.206.7.4
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4141110999
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4141110999
revocation-check none
rsakeypair TP-self-signed-4141110999
!
!
crypto pki certificate chain TP-self-signed-4141110999
certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313431 31313039 3939301E 170D3132 30393139 30373436
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31343131
  31303939 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AB76 5A57E8F2 F85E26C5 B850C38E 4F7E9148 1729FD72 36DB3FD0 1E42918D
  BB44E448 739A88A0 145741A8 05335F58 307185D6 86FA5181 0C491D31 5C29E036
  FF3336ED DBCB4C67 323E6841 63E7D27B B908562C 4E21DE16 508771F8 A5BB0ADE
  0C0491E8 0536757D 525A39FA 25CF87EA 4942A86C 12006C5B 1BCCB491 C91602BE
  C21D0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 19504153 43535F52 4F555445 522E6D79 646F6D61 696E2E63
  6F6D301F 0603551D 23041830 16801469 2BFE28CC A4414F73 41E6DE91 AB0F5DEF
  DF111B30 1D060355 1D0E0416 0414692B FE28CCA4 414F7341 E6DE91AB 0F5DEFDF
  111B300D 06092A86 4886F70D 01010405 00038181 00162F4B 41EAF909 B62CD44E
  CD58B75E 7F03D5D6 AD672FF4 84186DC6 0566007C 57D1560A 9FB66560 2A785A1F
  11BFE322 20C4744E 8A946A5E A1607E9F 0798E750 4C6CE41B 2C19E059 52821ADB
  C2958FC6 D93F0070 88A73CE6 A24798F5 5AE6BF8C 93870227 7E5884E2 D0532BD6
  5D6EF0D0 726C3F41 74015555 EDCC019D 81148CFD 76
        quit
!
!
username xxxxxxxx privilege 15 password 0 xxxxxxx
username xxxxxxxx privilege 15 password 0 xxxxxxx
archive
log config
  hidekeys
!
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect sdm-access
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 108.58.161.17
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.58.161.16 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 20 0
logging synchronous
login local
transport input ssh
line vty 5 807
exec-timeout 20 0
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 64.90.182.55
end

Thank you.

Hi,

With these commands:

ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable

you were trying to NAT your internal IPs to an external IP on the given ports.

To remove them, you can enter these:

no ip nat inside source list 1 interface FastEthernet0/1 overload (if any NAT rules present earlier are already functioning, they will also stop working after this.)
no ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
no ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
no ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
no ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
no ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable

Try only this command:

ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 (this is for testing purposes; if this works, you can then add all you want.)

interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto

Make sure that the 172.16.16.1 subnet has internet access.

Please rate if the info is helpful.

Regards
Thanveer

It didn't work for me.

When I tried this:

no ip nat inside source list 1 interface FastEthernet0/1 overload

it warned me that the dynamic map could be deleted, so I didn't.

I could remove the unnecessary port forwarding configurations.

And then I did this:

interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone (after this command it said that the interface is already a member of zone in-zone)
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone (after this, the message came: interface is already a member of zone out-zone)
duplex auto
speed auto

Why isn't it forwarding? What is the issue with the configuration?

Thank you for trying. 

Hi,

Was the command below written by you, or was it there earlier? If it wasn't there earlier, you can remove it.

ip nat inside source list 1 interface FastEthernet0/1 overload

And regarding

zone-member security out-zone (after this, the message came: interface is already a member of zone out-zone)

this message was given because the zone was already set in the previous config.

Regards
Thanveer

Hi,

Probably somebody else wrote that configuration before. The device was configured by someone else whom I can't reach. That's why I tried to get help from this forum.

And you told me to enter that configuration. When I did, I got that message.

Why do you think port forwarding is not working? I don't have any information about the configuration, but I searched other topics related to port forwarding and couldn't find a solution for my case. Usually they want to know how to configure it. Others who had issues had this:

access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.58.161.16 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any

where they had DENY instead of permit. But in my case they are all permit. I have no clue :(

I'll be glad if you can help me; even if not, I am glad you are trying.

Thanks a lot.

Can you provide the output of

show ip nat translation

term mon
debug ip nat detailed

Regards
Thanveer

Hi,

This is indeed a ZBF issue: you don't have any zone-pair security configured for traffic coming from out-zone and going to in-zone.

Add this to your config:

access-list 150 permit tcp any host 172.16.16.16 eq 8080
access-list 150 permit tcp any host 172.16.16.17 eq 8081
access-list 150 permit tcp any host 172.16.16.11 eq 4370
access-list 150 permit tcp any host 172.16.16.18 eq 8082
access-list 150 permit tcp any host 172.16.16.16 eq 80

class-map type inspect OUT_TO_IN_PERM_TRAFFIC
match access-group 150

policy-map type inspect OUT_TO_IN_POLICY
class type inspect OUT_TO_IN_PERM_TRAFFIC
inspect
class class-default
drop

zone-pair security out-to-in source out-zone destination in-zone
service-policy type inspect OUT_TO_IN_POLICY

Regards.

Alain

Don't forget to rate helpful posts.
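
The missing out-zone to in-zone zone-pair that Alain points out, and the stray `172.16.16.16 8080 172.16.16.16 80` NAT line in the posted config, are both things a script can catch before a change is pushed. The Python audit below is an added example written for this thread; it is not Cisco tooling and not part of any of the posts. It parses the parts of an IOS running-config that matter here (static port forwards, the NAT inside/outside interfaces and their zone memberships, zone-pairs and the class-maps/ACLs their inspect policies reference) and reports forwards that the zone-based firewall will drop. The embedded sample is a trimmed copy of the config above with the poster's "(external ip)" placeholder assumed to be 203.0.113.10, and the parser only understands the command forms that occur in this thread (numbered ACLs of the form `permit tcp any host H eq P`, not named or more general ACLs).

```python
import re
from collections import defaultdict

# Constructed sample: the thread's config trimmed to what the audit needs, with the
# poster's "(external ip)" placeholder replaced by the documentation address
# 203.0.113.10 (an assumption, not the real address).
BROKEN_CFG = """
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface FastEthernet0/0
 ip address 172.16.16.1 255.255.240.0
 ip nat inside
 zone-member security in-zone
!
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 zone-member security out-zone
!
ip nat inside source static tcp 172.16.16.11 4370 203.0.113.10 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 203.0.113.10 8080 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
"""
# Alain's out-to-in zone-pair appended to the broken config; the ACL line for
# 172.16.16.11:4370 is deliberately left out so the audit has a gap to report.
FIXED_CFG = BROKEN_CFG + """
access-list 150 permit tcp any host 172.16.16.16 eq 8080
class-map type inspect match-all OUT_TO_IN_PERM_TRAFFIC
 match access-group 150
policy-map type inspect OUT_TO_IN_POLICY
 class type inspect OUT_TO_IN_PERM_TRAFFIC
  inspect
 class class-default
  drop
zone-pair security out-to-in source out-zone destination in-zone
 service-policy type inspect OUT_TO_IN_POLICY
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (?:tcp|udp) any host (\S+) eq (\d+)")


def parse(cfg):
    """One pass over the config; only the command forms used in the thread are read."""
    ifaces, pairs, cls_acl, nats = {}, [], {}, []
    pol_cls, acls = defaultdict(list), defaultdict(set)
    ctx = cur_cls = None                      # ctx = (block kind, block name)
    for raw in cfg.splitlines():
        line, w = raw.strip(), raw.split()
        if not line or line == "!":
            ctx = None
        elif m := NAT_RE.match(line):
            nats.append(m.groups())           # proto, local ip, port, global ip, port
        elif m := ACL_RE.match(line):
            acls[m.group(1)].add((m.group(2), m.group(3)))
        elif line.startswith("interface "):
            ctx, ifaces[w[1]] = ("if", w[1]), {}
        elif line.startswith("zone-pair security "):   # ... NAME source SRC destination DST
            pairs.append({"src": w[4], "dst": w[6], "policy": None})
            ctx = ("zp", w[2])
        elif line.startswith(("class-map type inspect ", "policy-map type inspect ")):
            ctx = (line[0] + "m", w[-1])      # "cm" or "pm"
        elif ctx and ctx[0] == "if" and w[:2] in (["ip", "nat"], ["ip", "address"], ["zone-member", "security"]):
            ifaces[ctx[1]][w[1]] = w[2]       # keys: nat, address, security (= zone name)
        elif ctx and ctx[0] == "zp" and line.startswith("service-policy type inspect "):
            pairs[-1]["policy"] = w[-1]
        elif ctx and ctx[0] == "cm" and line.startswith("match access-group "):
            cls_acl[ctx[1]] = w[-1]
        elif ctx and ctx[0] == "pm" and line.startswith("class "):
            cur_cls = w[-1]                   # "class type inspect X" or "class class-default"
        elif ctx and ctx[0] == "pm" and line in ("inspect", "pass"):
            pol_cls[ctx[1]].append(cur_cls)
    return ifaces, pairs, cls_acl, pol_cls, acls, nats


def audit(cfg):
    """Per static forward: 'no_zone_pair' (no zone-pair from the NAT-outside zone to the
    NAT-inside zone, so ZBF drops every inbound session), 'not_permitted' (the out->in
    policy neither inspects nor passes it), 'bad_global' (wrong global address)."""
    ifaces, pairs, cls_acl, pol_cls, acls, nats = parse(cfg)
    role = {v["nat"]: v for v in ifaces.values() if "nat" in v}   # "inside" / "outside"
    out_if, in_if = role.get("outside", {}), role.get("inside", {})
    out_in = [p for p in pairs if p["src"] == out_if.get("security") and p["dst"] == in_if.get("security")]
    classes = [c for p in out_in for c in pol_cls.get(p["policy"], [])]
    allow_all = "class-default" in classes    # inspect/pass on class-default admits everything
    allowed = set().union(*(acls.get(cls_acl.get(c), set()) for c in classes))
    f = {"no_zone_pair": [], "not_permitted": [], "bad_global": []}
    for proto, l_ip, l_port, g_ip, g_port in nats:
        fwd = f"{proto} {l_ip}:{l_port}"
        if g_ip != out_if.get("address"):
            f["bad_global"].append(f"{fwd} -> {g_ip}:{g_port}")
        if not out_in:
            f["no_zone_pair"].append(fwd)
        elif not allow_all and (l_ip, l_port) not in allowed:
            f["not_permitted"].append(fwd)
    return f


if __name__ == "__main__":
    print("before fix:", audit(BROKEN_CFG), "after fix:", audit(FIXED_CFG), sep="\n")
```

The ACL coverage check compares the inside (post-NAT) address and port, which is also why Alain's ACL 150 lists the 172.16.16.x hosts rather than the external address: for outside-to-inside traffic IOS translates the destination before the zone-based firewall classifies the packet, so the out-to-in policy sees the private address. A `pass` or `inspect` action on `class-default` in that policy would admit everything from the outside zone, which is why the audit treats it as "allow all" rather than a gap.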


varununiyal
Level 1

Copy and paste this into the config (make sure to copy-paste rather than type it, if you do not have console access):

interface FastEthernet0/0
no zone-member security in-zone
!
interface FastEthernet0/1
no zone-member security out-zone

After this, check your NAT; if it works, then the issue is with the ZBF policies.
